检测本地二进制文件滥用行为

v20260601

detecting-living-off-the-land-with-lolbas

本技能提供了一套完整的检测生活在土地上（LOLBAS）恶意工具滥用的框架，可识别certutil、regsvr32等系统工具被恶意利用的行为。它结合了Sysmon和Windows事件日志的进程遥测数据、Sigma规则匹配以及父子进程异常分析，适用于安全运营中心（SOC）分析师和威胁猎手，以应对规避传统安全控制的复杂攻击。

网络安全威胁检测 LOLBAS Sysmon Sigma规则进程监控端点检测

获取技能

346 次下载

概览

Detecting Living Off the Land with LOLBAS

Overview

Living Off the Land Binaries, Scripts, and Libraries (LOLBAS) are legitimate system utilities abused by attackers to execute malicious actions while evading detection. This skill covers detecting abuse of certutil.exe, regsvr32.exe, mshta.exe, rundll32.exe, msbuild.exe, and other LOLBins using process telemetry from Sysmon and Windows Event Logs, combined with Sigma rule-based detection.

When to Use

When investigating security incidents that require detecting living off the land with lolbas
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Sysmon or Windows Security Event Log (Event ID 4688) with command-line logging enabled
Sigma rule conversion tool (sigmac or sigma-cli)
SIEM platform (Splunk, Elastic, or similar) for log ingestion
Python 3.8+ with pySigma library
LOLBAS project reference database

Steps

Establish LOLBin Watchlist — Build a prioritized list of monitored binaries (certutil, mshta, regsvr32, rundll32, msbuild, installutil, cmstp, wmic, bitsadmin)
Collect Process Telemetry — Ingest Sysmon Event ID 1 (Process Create) and Windows 4688 events with full command-line capture
Build Sigma Detection Rules — Create Sigma rules matching suspicious command-line arguments, network activity, and parent-child process anomalies for each LOLBin
Analyze Parent-Child Relationships — Flag unexpected parent processes spawning LOLBins (e.g., Excel spawning certutil, Word spawning mshta)
Score and Prioritize Alerts — Apply risk scoring based on argument anomaly, parent process, execution path, and network indicators
Generate Detection Report — Produce a structured report of all LOLBin abuse detections with MITRE ATT&CK mapping

Expected Output

JSON report listing detected LOLBin abuse events with severity scores
MITRE ATT&CK technique mapping for each detection (T1218, T1105, T1140, T1127)
Parent-child process anomaly analysis
Sigma rule match details with raw event data

信息

Category 数据科学

Name detecting-living-off-the-land-with-lolbas

版本 v20260601

大小 9.34KB

Source mukul975/Anthropic-Cybersecurity-Skills

更新时间 2026-06-03